1. Technical Field
The present invention relates to data processing systems in general and in particular to improved methods of providing access control for a plurality of resource objects within a distributed data processing system. Still more particularly, the present invention relates to a system which permits variable authority level access control throughout a distributed data processing system.
2. Description of the Related Art
Security and access control systems in computer based data processing systems are well known in the prior art. Existing access control systems are generally oriented to a single host system. Such single host access control systems are generally utilized to provide security for the host and access control to applications and system resources, such as files. Each application must generally provide access control for the resources controlled by that application.
One example of an access control system designed for utilization with the IBM 370 system is a product called RACF, or Resource Assets Control Facility. RACF offers access control for applications, such as files or CICS transactions and is hierarchically oriented in access authority levels and grouping of users. RACF is a "password" oriented access control system and access is granted or denied based upon a user's individual identity and his or her knowledge of an appropriate password to verify that identity. The RACF system is, however, oriented to a single host system and cannot be employed in a distributed data processing system which employs multiple hosts associated with separate groups of resource objects, due to the fact that this system does not allow the interchange of access control information from one host to another. Further, the RACF system does not permit a user to access a resource object at one of a plurality of authority levels. That is, for example, it may desired to permit a user to read a particular resource object, but not alter that object.
Another example of known access control systems is AS/400. The AS/400 system is a capability based system in which security is based upon each individual resource object. Each user is authorized to access individual resource objects based upon the user's capability within the system. The AS/400 system maintains security by keeping User Profiles, Object Authority, and System Values within the architecture of the machine itself. As above, this system is highly efficient at controlling access to resource objects controlled by a single host; however, access to resource objects located within a distributed data processing system containing multiple hosts cannot be controlled. That is, access to a resource object controlled by one host cannot be obtained by a user enrolled at a second host. As above, the AS/400 system does not permit the system controller to vary the level of authority enjoyed by a particular user with respect to a selected resource object.
One other example of an access control system is the DB2 product. This product permits a more flexible access control and offers granular or bundled access control authority. For example, the DB2 system may utilize special authorities for administration or database operations. Further, access privilege may be bundled into a specified authority or role so that a user may access specific resource objects based upon the user's title or authority level, rather than the user's personal identity. However, as above, the DB2 system does not possess the capability of exchanging access control information with non-DB2 applications.
Therefore, it should be obvious that a need exists for a method of providing variable authority level user access control in a distributed data processing system whereby access to selected resource objects may be controlled throughout the distributed data processing system by specifying the level of authority associated with a specific user for a selected resource object and then only permitting access to that resource object to the extent previously specified.